1 The Best Biometrics
We will examine a few biometric technologies, but the most useful ones, by far, can be operated over the Internet, supporting self-service account creation using commodity hardware and software. The best biometrics are ones that: (1) people will use; (2) will not accept replay; and (3) others can use to identify fraudsters.
Biometrics uniquely identify you to a computer system. For instance, no one else has your fingerprint, palm-print, voice-print, facial characteristics, retinal vein patterns, infrared signatures, keyboard typing speeds, or penmanship.
Great care should be taken when storing biometrics. If someone were able to copy a biometric sample, the copy could be used in an authentication, because a biometric by itself can’t reveal when a sample was generated.
The best biometrics are ones whose samples can be dated in some way. In other words, biometric samples must be rendered useless after they have been used in an authentication. Imagine if someone got hold of your fingerprint. First, it’s hard to change your fingerprint. Assuming you haven’t changed your fingerprint, the stolen fingerprint could be used in subsequent authentications in perpetuity.
Voice Recognition is powerful when used with real-time generated phrases that the user must speak. In combination with Speech Recognition and unique, non-successive phrases, the system can positively identify the user. Without Speech Recognition and unique phrases, the system might be authenticating a playback, or copy, of biometric data.
Face Recognition is powerful when used with real-time generated phrases that the user must speak. In combination with Audio/Video Speech Recognition and unique, non-successive phrases, the system can positively identify the user. Without Speech Recognition and unique phrases, the system might be authenticating a playback, or copy, of biometric data.
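The challenge side of this scheme, as an added example that is not part of the original paper: the server issues a fresh random phrase for each login, accepts it once, and rejects recordings that answer an old, expired or already-used challenge. The class name PhraseChallenger, the word list, the 30-second lifetime and the transcript string (standing in for the output of a speech recognizer) are assumptions made for illustration; matching the voice or face against the enrolled user is a separate step and is not shown.

```python
import hmac
import secrets
import time

# Constructed vocabulary for illustration; a real list would be far larger.
WORDS = ["amber", "bridge", "candle", "delta", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "orchid"]


class PhraseChallenger:
    """Issues one-time phrases to speak; each challenge is accepted at most once."""

    def __init__(self, words=4, ttl_seconds=30, clock=time.monotonic):
        self.words, self.ttl, self.clock = words, ttl_seconds, clock
        self.pending = {}      # challenge id -> (user, phrase, expiry time)
        self.last_phrase = {}  # user -> phrase issued last time

    def issue(self, user):
        """Generate a fresh random phrase that differs from the user's previous one."""
        while True:
            phrase = " ".join(secrets.choice(WORDS) for _ in range(self.words))
            if phrase != self.last_phrase.get(user):
                break
        self.last_phrase[user] = phrase
        cid = secrets.token_urlsafe(16)
        self.pending[cid] = (user, phrase, self.clock() + self.ttl)
        return cid, phrase

    def verify(self, cid, user, transcript):
        """Check the speech-recognition transcript of a submitted recording."""
        # pop() consumes the challenge, so a second submission always fails.
        entry = self.pending.pop(cid, None)
        if entry is None:
            return "rejected: unknown or already-used challenge"
        owner, phrase, expiry = entry
        if owner != user:
            return "rejected: challenge issued to another user"
        if self.clock() > expiry:
            return "rejected: challenge expired"
        heard = " ".join(transcript.lower().split())
        if not hmac.compare_digest(heard.encode(), phrase.encode()):
            return "rejected: phrase mismatch"
        return "accepted"  # liveness only; voice/face matching is a separate step
```

A recording captured during one login is useless for the next, because the next challenge asks for a different phrase and the old challenge id has already been consumed.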
Identification of the physical person has great benefits to you in two ways. Firstly, nobody can break into your accounts, and secondly, criminals can be deterred from creating new accounts under an alias (and physical identification can aid in criminal prosecution).
There are lots of fast, easy-to-use biometrics, including fingerprints and facial and voice recognition. But a few can be eliminated from our “best” list because people don’t want to use them. Some retinal scanners require a puff of air and expensive specialized equipment, and many people find putting their face in contact with the scanning machines a great way to spread disease. Contact palm readers are even more likely to spread germs, bacteria and viruses. Fingerprint readers such as those on your Personal Computer (PC) might be acceptable, presuming you would be the only one using them.
Fingerprints and facial recognition software are vulnerable to replays and reproductions. There are various ways to verify that a sample is not a replay, and the strongest authentication technology will ensure that the biometrics being presented for authentication are genuine, not replicas or replays.
1.3 Identifies the Person to Everyone
Many technologies can be ruled out of our “best” list since it takes an expert to decipher the biometrics such as fingerprints. The average person can’t differentiate a trusted user from a criminal based on glancing at their index finger, and, since fingerprints can be easily manufactured, fingerprint recognition software simply can’t provide irrefutable authentication.
An important factor in the acceptance of biometric technologies is their usability. Palm readers, for instance, have met with early replacement due to employee revolts; there are simply not enough sanitary wipes around when you need one.
Since everyone is familiar with passwords, a good measure of usability can be derived by comparing a few attributes of password usability versus biometric technologies.
A significant problem with passwords is remembering them. If having to change your password each month doesn’t drive you crazy, the character requirements will. Let’s see, does this one require 8 characters including punctuation, a number, and a capital letter? And can I use it again after 3 changes? The very problem with passwords, though, is that the authenticating computer system can’t tell who typed in the password and therefore passwords are subject to theft.
Fingerprints can work well as an identifier, but only if used in combination with secure connections, virus protection and a small cadre of other safeguards.
On the positive side, video cameras are in use at every convenience store and bank across the continent. All of us know how to be seen in front of a camera. Some like it better than others. It’s the same with Voice Recognition: everyone knows how to use a microphone. Some like to hear themselves more than others.
3 Verifying the Authentication Data
The trouble with all of the authentication technologies is that it’s difficult to determine if the sample submitted is genuine. It is not possible to know who actually typed a password or submitted a fingerprint. There is no advantage to using a biometric sample that cannot be distinguished from a replay.
Besides stealing passwords and replicating fingerprints, scammers can create accounts — and an identity — using fake data. In the case of a criminal using a recorded biometric, they can assume someone else’s identity, avoiding prosecution and making someone else’s life miserable.
On the other hand, audio/video data can be verified and determined to be genuine — not a replay.
4 Uniquely Identifying a Person
We need look no further than the last presidential campaign to know that our privacy, finances and relationships are potentially at risk; anyone can be impersonated with password protection. Hackers don’t discriminate between political parties or gender; both Sarah Palin’s Yahoo mail account and Barack Obama’s Twitter account fell victim to security breaches.
The demand to uniquely identify ourselves during login is the natural consequence of the failed attempts to authenticate using “things we have” that can be stolen, “things we know” that others can discover or some combination of the two. The combination of something you know and something you have is sometimes referred to as two factor authentication. For some limited applications, two-factor authentication can work. At the end of the authentication, however, the system can’t verify that it’s you and not a co-worker or maybe a close relative.
Biometrics are in wide use for many proctored applications. Clear®, the retinal scanning technology, is used in some major airports. This system works because of the constant presence of a third-party trusted person. A user submits a reference sample during the enrollment process in the presence of a trusted individual. Once enrolled, the user goes to the airport and submits their eye to a reader in the presence of a trusted individual. Because all the biometric submissions are performed in the presence of a trusted individual, all of the submissions are known to be genuine.
5 Verifying the Verification Data
Is it possible to determine if a biometrics sample is genuine without a trusted person present and watching?
Biometrics have a clear advantage over other technologies. No one can impersonate you or log in to one of your accounts without genuine biometrics, and fraudsters could be identified and prevented from creating accounts.
But not all biometrics can be verified without the presence of a trusted individual. As a practical matter, mass market applications such as eCommerce, social networks, and on-line banking require self service account creation. But corporations also benefit from self-service account creation, use of commodity hardware, and software.
A helpful way to think about verifiable/useful biometrics is whether or not the data is changing a little with every sample. For instance, we humans don’t even say our own names exactly the same every time. There are variables — background noise, intonation, volume. That type of variable data is dynamic.
Static data, on the other hand, does not change between logins or, like passwords, changes only sporadically; we’ll refer to it as static because it doesn’t change very much. Because of this, static data is subject to theft. The static data sword cuts two ways:
- If the static data is captured by a criminal, your account is not safe.
- Captured data can be passed along to others which means that the person logging in is not tied to the data. This enables impersonation.
Static biometrics that will NOT work for self-service account creation applications — if used without some external verification mechanism — include fingerprints, retinal scan, and facial recognition. Each can be easily replicated by a criminal.
Dynamic technologies, on the other hand, can determine you are you, through behavioral attributes such as your handwriting, your voice, and, via video technology, your face and mannerisms.
But even dynamic technologies need some help to verify if the submitted sample is genuine.
6 The Audio/Video Challenge
Audio/Video (AV) is a win all the way around.
- It’s easy: a user simply speaks while facing a webcam.
- It’s fast: a person can be positively identified using AV in just a few seconds.
- Webcams and microphones are low cost and are already built into most portable computing platforms available to consumers.
- The AV provides the data for positive identification to everyone. No expert is required to decipher the data.
- The most important aspect of AV is that it is verifiable. With a few spoken words and a little help from some technology borrowed from other disciplines, the speaker can be identified and authenticated for a singular login.